Protection of personal information laws kick in

Date: 2020-07-07

WORDS ON WEALTH:

Lize de la Harpe, legal adviser at Glacier by Sanlam, says that in essence, Popia gives effect to section 14 of the Constitution, which says that everyone has the right to privacy. “Popia regulates, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy, subject to justifiable limitations that are aimed at protecting other rights and important interests,” De la Harpe says.

“Personal information” refers to information relating to an identifiable, living natural person (and, where applicable, a juristic person), including your gender, marital status, age, identity number, email address, telephone number and physical address.

The act also makes provision for “special personal information”, which is information of a more sensitive nature, such as information concerning children, your religious affiliation, race or ethnic background, trade union membership, political affiliation, medical and genetic information and criminal record.

A higher degree of protection is given to this special information.

The “processing” of personal information basically refers to anything the organisation can do with it, from receiving, storing, updating and disseminating it, through to erasing or destroying it.

De la Harpe says the act also provides for the establishment of a regulator, known as the Information Regulator, which will monitor and enforce compliance and deal with complaints from the public.

Conditions for processing your personal information include the following (with certain exceptions):

* The information must be collected from you, with your consent.

* It must be done for a specific purpose, must be fit for purpose (in other words, the demands cannot be excessive) and must be kept only for as long as it serves that purpose.

* You have the right to know of anything the organisation does with your information and the identity of third parties who have access to it.

* You may request the organisation to correct or delete information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.

* The information must be kept as secure as possible, with the organisation obliged to take precautions against foreseen internal and external risks. Both you and the Information Regulator must be informed of any data breaches that compromise your privacy.

Companies must not only comply with Popia with regard to their clients; they must also comply with regard to their employees. In other words, it is not only companies you deal with as a customer that must protect your personal information, it is your employer too.

In a recent website article, Ahmore Burger-Smidt, Jacques van Wyk and Bradley Workman-Davies at Werksmans Attorneys point out that employers need to ensure that they comply with Popia regarding the processing of their employees’, customers’ and service providers’ information.

“It is also important that their employees are equally aware of, and comply with, these obligations when processing any such information on behalf of the employer,” they say.

Burger-Smidt, Van Wyk and Workman-Davies say it is important that adequate provisions be inserted into employment contracts and that workplace policies and procedures are implemented to ensure compliance. These should include:

* The designation of an information officer.

* Implementing procedures for processing information lawfully, in accordance with the conditions provided for in the legislation.

* Obtaining consent from employees for the processing of their personal information.

* Providing training and information to human resources practitioners as well as employees to ensure that information is processed lawfully and that employees, as “data subjects”, are aware of their rights.

* Putting in place measures to ensure the processing of special personal information is lawful.

* Dealing with any cross-border processing of information.

* Implementing procedures to address and deal with any complaints from, among others, employees regarding the processing of their personal information.





REINING IN BIG DATA

The digital age has seen an explosion of consumer data in cyberspace – much of it anonymous, but a great deal that has your name on it – which is used for marketing, among other things.

Although it may be unrealistic to expect the Protection of Personal Information Act (Popia) to counter this global phenomenon, it does give you the right to ask a marketing company, for example, which sends promotional content to your email address where they obtained your contact details.

Christopher O’Flaherty, an IT analyst at BDO Financial Services, says: “Companies use and abuse data, stealing and sharing your data as they please. Cambridge Analytica used people’s data to conduct trend analysis and determine how people would vote in the 2016 Trump presidential campaign in the US and in the Brexit referendum in the UK.”

O’Flaherty points out that although it may be expected that reputable companies will not misuse or unlawfully disseminate your personal information under the new legislation, it will not prevent the misuse of your data by more nefarious organisations, hackers and cybercriminals.

Wayne Mann, director of group risk at The Unlimited, a company that sells a variety of short-term insurance products via electronic marketing, believes that although Popia addresses the responsible and secure processing of data, compliance will negatively affect smaller businesses.

“While larger corporates will, in all likelihood, be able to absorb the cost of compliance and have the resources necessary to implement Popia’s requirements, the additional cost burden is likely to cripple many smaller businesses.

“Their only option will be to pass the cost of compliance on to their customers, which may compromise the affordability of their products or services and ultimately, the sustainability of their businesses.”

But it’s not just the cost implications that are sounding the alarm bells for small businesses, Mann says. “Popia will also impact their ability to market cost-effectively - particularly those businesses that depend on electronic marketing.

“Imagine a small company that relies on emailing monthly specials to its 10 000-strong database, which, in turn, generates sufficient revenue to sustain the business. Popia will outlaw this form of electronic marketing unless the people on their database have ‘opted in’, or given their consent to be marketed to in this fashion. Not only does obtaining consent come at a cost; these businesses can also expect their target markets to contract.”

Mann says that currently, under the Consumer Protection Act (CPA), all electronic marketing in South Africa is “opt out” – consumers can pre-emptively block marketing or demand that a company discontinues marketing to them. “The obvious question is, why the change from opt out under the CPA to opt in under Popia?” he says.





BANKS AND SARS

With the South African Revenue Service (Sars) moving to auto-assessments, it will have to source taxpayers’ personal information from banks. How will this work in such a way that there is compliance with the Protection of Personal Information Act?

Monique Jefferson, director of law firm DLA Piper South Africa, says the Act does not seek to create barriers for the sharing of personal information; rather the objective is to ensure protection against unauthorised access.

“Responsible parties may process personal information as long as there is an appropriate justification in law,” Jefferson says.

Jefferson says the sharing of your personal information in this instance can be justified by:

* Your consent to your bank sharing your personal information with Sars or any other specified third party;

* The bank being required by law to report tax-related information it holds to Sars; and

* Sars being required to obtain your personal information to perform its legal obligations.

“To ensure that information is transferred securely, a data sharing agreement may be entered into between Sars and the banks regarding the transfer of all clients’ data for the execution of auto-assessments,” she says.

